iven/hms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0006e427e25f81227b7e7ca4fb2c35046405f209
hms/crates/erp-health/src/handler/diagnosis_handler.rs
iven 931edc3025 fix(security): 补全 XSS sanitize + 修复 sender_id 身份伪造 
安全审计修复:
- 补全 6 个 DTO 的 sanitize 方法(diagnosis/consent/alert/medication_record/medication_reminder/follow_up_template)
- 4 个 handler 添加 .sanitize() 调用(diagnosis/consent/alert_rule/medication_record)
- 修复咨询消息 sender_id/sender_role 从客户端提交改为服务端从 JWT 提取
- 修复小程序 AI 报告 markdownToHtml XSS(添加 sanitizeHtml 过滤)
2026-04-30 10:21:52 +08:00

103 lines
3.1 KiB
Rust
Raw Blame History

use axum::Extension;
use axum::extract::{FromRef, Json, Path, Query, State};
use serde::Deserialize;
use erp_core::error::AppError;
use erp_core::rbac::require_permission;
use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};
use crate::dto::diagnosis_dto::*;
use crate::dto::DeleteWithVersion;
use crate::service::diagnosis_service;
use crate::state::HealthState;
#[derive(Debug, Deserialize)]
pub struct PaginationParams {
pub page: Option<u64>,
pub page_size: Option<u64>,
}
pub async fn list_diagnoses<S>(
State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>,
Path(patient_id): Path<uuid::Uuid>,
Query(params): Query<PaginationParams>,
) -> Result<Json<ApiResponse<PaginatedResponse<DiagnosisResp>>>, AppError>
where
HealthState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "health.health-data.list")?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
let result = diagnosis_service::list_diagnoses(
&state, ctx.tenant_id, patient_id, page, page_size,
)
.await?;
Ok(Json(ApiResponse::ok(result)))
}
pub async fn create_diagnosis<S>(
State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>,
Path(patient_id): Path<uuid::Uuid>,
Json(req): Json<CreateDiagnosisReq>,
) -> Result<Json<ApiResponse<DiagnosisResp>>, AppError>
where
HealthState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "health.health-data.manage")?;
let mut req = req;
req.sanitize();
let result = diagnosis_service::create_diagnosis(
&state, ctx.tenant_id, patient_id, Some(ctx.user_id), req,
)
.await?;
Ok(Json(ApiResponse::ok(result)))
}
pub async fn update_diagnosis<S>(
State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>,
Path(diagnosis_id): Path<uuid::Uuid>,
Json(req): Json<UpdateDiagnosisWithVersion>,
) -> Result<Json<ApiResponse<DiagnosisResp>>, AppError>
where
HealthState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "health.health-data.manage")?;
let mut data = req.data;
data.sanitize();
let result = diagnosis_service::update_diagnosis(
&state, ctx.tenant_id, diagnosis_id, Some(ctx.user_id), data, req.version,
)
.await?;
Ok(Json(ApiResponse::ok(result)))
}
pub async fn delete_diagnosis<S>(
State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>,
Path(diagnosis_id): Path<uuid::Uuid>,
Json(req): Json<DeleteWithVersion>,
) -> Result<Json<ApiResponse<()>>, AppError>
where
HealthState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "health.health-data.manage")?;
diagnosis_service::delete_diagnosis(
&state, ctx.tenant_id, diagnosis_id, Some(ctx.user_id), req.version,
)
.await?;
Ok(Json(ApiResponse::ok(())))
}
#[derive(Debug, serde::Deserialize, utoipa::ToSchema)]
pub struct UpdateDiagnosisWithVersion {
#[serde(flatten)]
pub data: UpdateDiagnosisReq,
pub version: i32,
}
Reference in New Issue View Git Blame Copy Permalink